OWNE! i like that number 😀

14:43 OWNE ≠ 1 Linus.. 🤭

14:41 – 14:49 "Using code "five foot one", that's one word, all one word, "F-I-V-E… F-O-O-T… O-W-N-E"🤨😂

Welcome back! ✌🏻

Ah classic session token. One of the first things we check in these circumstances at work. Reject and signout all sessions! 😅

Well same happened with me, i lost 45 dollars this way, 45 dollars may not be anything for you but for me it was everything 🙁

Just ditch Winbugs an security will be improved

f-i-v-e-f-o-o-t-o-w-n-e

Google Security is so odd! High security in low-priority things and Low-security in these type of high value things.

Example-
My brother-in-law, single Android Mobile user with no PC, bought a new android mobile with exchange offer for discount.
When he tried to setup and login in the new mobile with known username and password, Google was asking for old mobile for verification!

I hope that was his wife in the video trying to help him?

Pls use Mac or Linux for your Relationship Team Members whos work is only handling emails and pdf etc.
This will block any script/exe execution.

Is it just me or did linus just spelled ONE as O-W-N-E?

Close one

imagine not running mission-critical / high security required systems on linux LOOOOOOOOL

Dont you guy have a backup database?

SMS 2FA has been long known to be problematic since if an attacker knows your phone number they can hijack it to receive your SMSs. Using an authenticator app does not have this vulnerability.

Authy is a bit problematic since you can access it from multiple devices, which defeats the security in a way. Keeping your authenticator app on one device, and making sure that device is a locked down one such as a smartphone, helps protect your 2FA.

Session tokens don't just keep you logged in when you close your browser, they keep you logged in period. Back in the day when HTTPS was only used for login forms and HTTP was used for normal site content, a session token was essential for ensuring your browser did not need to send your password over HTTP with every request. Now, it's the gold standard for how to handle sessions, even though HTTPS is recommended for use for all site traffic now.

Google does track what IPs you visit their sites from on this page: https://myaccount.google.com/device-activity

It's not clear to me why they don't limit sessions to at least an IP block or a resolved location if not a single IP. Maybe too many false positives for detecting location changes. Or for users who hop on/off of a VPN Google would rather not require them to log in all the time.

Another thing YouTube could do (I don't recall seeing any such feature, I don't operate a big channel though) is provide the channel owner with a log showing changes they and other users they've granted access to the channel have done with the channel recently. This would allow for easy identification of a compromised account like LTT experienced, and he could shut off access quickly. Focus can then be moved to cleanup of the channel and having the user reclaim and secure their account.

It sounds like this feature exists for their internal teams, so it should be possible to expose a similar feature for channel owners.

Restricting access would help a lot too but as you noted, in practice most users find this bothersome and don't bother to set up such features properly. From what I've seen YouTube tries to strike a balance, offering a small selection of roles which you can easily select for a user account. They could offer more granular controls but again there is the risk it would be too intimidating for most users who may abandon the idea of securing access entirely.

You mention running into glitches and bugs trying to resecure the channel. It's possible some or all of these were intentionally caused by the hacker trying to slow you down. Of course YouTube can always improve the stability of their tools, but often times you can make a tool 99.999% secure and the other 0.001% happens rarely enough to not worth the time to fix… until a malicious hacker figures out how to trigger it 100% of the time. That said this is just speculation on my part and it could just entirely be normal functionality of the tool to have those issues.

Currently Google requires you to relogin if you want to change your password, and many sites do the same for changing your email address. This makes sense as it can be a point of no return for control of your account if it is a malicious individual making the change. Changing a channel name and icon doesn't seem to me to fit in that same category. Furthermore it wouldn't have stopped the scammer from running his livestream. Heck, the channel name/icon change was probably done automatically by a tool… if it had been done manually, a scammer may have wanted to KEEP your branding. So I don't think it would necessarily help anything to lock those things behind a password. Anything that could lock the owner out of the channel, of course, should be behind a password.

Hindsight is 20/20 when it comes to ideas like limiting actions which are more likely to be done by a malicious user, like bulk deleting videos. Honestly that is probably not going to help too much since an attacker can simply craft a tool to bulk delete videos while they look like individual video deletions to bypass any such limit. Given the scale of YouTube and the number of users and amount of content, it's not clear if Google could try to cat-and-mouse this to detect such things or not. Either way, it sounds like they can undo deletions and changes, which is probably their official stance on how to handle these types of breaches. Doesn't matter if the videos were deleted when it can be undone very easily by Google.

Banks and other similar sites invalidate sessions very aggressively. I actively look for ways around it sometimes because it's so annoying since it feels like it gets in the way. It's important not to put security measures in place which encourage users to try and subvert them! That said Google could probably do more with requiring login if your IP changes to something unusual.

There's possible applications using AI to determine if a user's actions fit with their existing pattern of actions or not. From things like low level mouse/keyboard patterns to high level actions taken, to what IP and browser fingerprint they're connecting from.

Wow Linus you have some huge strawberries! Nice

LOL so it was good old MoneyOffer.pdf.exe

Session tokens are supposed to have a built in expiry.

This is how they steal roblox accounts and items. They ask for your avatar outfit to get it started.

FIVEFOOTOWNE

anyone else catch when he spelled “one” “O W N E”

he got tech tip'd